Access rights in docker osixia LDAP
I have a working OpenLDAP installation initialized from LDIF. I want to populate the same data into osixia/docker-openldap. The data gets loaded, but only the admin can see it. The users from the LDIF cannot see their own branch.
extend-osixia-openldap\environment\my-env.startup.yaml
LDAP_DOMAIN: centaur.tld
extend-osixia-openldap\bootstrap\ldif\demo_data.ldif
dn: cn=ldapadm,dc=centaur,dc=TLD
changetype: add
objectClass: top
objectClass: person
cn: ldapadm
sn: LDAP Manager
userpassword: VerySecret

# continuation lines are indented so LDIF folds them into a single olcAccess value
dn: olcDatabase={1}{{ LDAP_BACKEND }},cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: {0}to *
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by * break
olcAccess: {1}to attrs=userPassword,shadowLastChange
  by self write
  by dn="cn=ldapadm,dc=centaur,dc=TLD" write
  by anonymous auth
  by * none
olcAccess: {2}to *
  by self read
  by * read

dn: ou=ABC,dc=centaur,dc=tld
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: ABC

dn: ou=people,ou=ABC,dc=centaur,dc=tld
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: people

dn: cn=manager,ou=people,ou=ABC,dc=centaur,dc=tld
changetype: add
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: manager
sn: Manager
userpassword: VerySecret
Shell
>docker exec %CONTAINER% ldapsearch -x -H ldap://localhost -b ou=people,ou=ABC,dc=centaur,dc=TLD -D "cn=manager,ou=people,ou=ABC,dc=centaur,dc=TLD" -w VerySecret
# search result
search: 2
result: 32 No such object
>docker exec %CONTAINER% ldapsearch -x -H ldap://localhost -b ou=people,ou=ABC,dc=centaur,dc=TLD -D "cn=admin,dc=centaur,dc=TLD" -w admin
# search result
search: 2
result: 0 Success
# numResponses: 11
# numEntries: 10
This configuration does not work either:
olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=ldapadm,dc=centaur,dc=TLD" write by anonymous auth by * none
olcAccess: to * by self read by dn="cn=ldapadm,dc=centaur,dc=TLD" write by * none
olcAccess: to * by self write by * read
How do I configure this image so that new users can browse its content?
Update
It seems my configuration was not applied:
docker exec %CONTAINER% ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}mdb))"
olcSuffix: dc=centaur,dc=TLD
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=centaur,dc=TLD" write by anonymous auth by * none
olcAccess: {2}to * by self read by dn="cn=admin,dc=centaur,dc=TLD" write by dn="cn=readonly,dc=centaur,dc=TLD" read by * none
This is my working setup. The problem was that the environment variable LDAP_READONLY_USER: true caused my security import to be overridden (osixia/docker-openldap/issues/456).
Directory hierarchy
98-data.ldif
dn: cn=ldapadm,dc=centaur,dc=TLD
changetype: add
objectClass: top
objectClass: person
cn: ldapadm
sn: LDAP Manager
userpassword: VerySecret

dn: ou=ABC,dc=centaur,dc=TLD
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: ABC

dn: cn=manager,ou=ABC,dc=centaur,dc=TLD
changetype: add
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: manager
givenName: Eve
sn: Manager
displayName: Eve Manager
userpassword: VerySecret
99-config.ldif
dn: olcDatabase={1}{{ LDAP_BACKEND }},cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: to *
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by * break
olcAccess: to attrs=userPassword,shadowLastChange
  by self write
  by dn="cn=ldapadm,dc=centaur,dc=TLD" write
  by anonymous auth
  by * none
olcAccess: to *
  by self read
  by dn="cn=admin,dc=centaur,dc=TLD" write
  by dn="cn=ldapadm,dc=centaur,dc=TLD" write
  by users read
  by * none
my-env.startup.yaml
LDAP_ORGANISATION: Centaur
LDAP_DOMAIN: centaur.TLD
LDAP_ADMIN_PASSWORD: admin
LDAP_CONFIG_PASSWORD: config
LDAP_READONLY_USER: false
LDAP_TLS: false
LDAP_TLS_ENFORCE: false
Dockerfile
FROM osixia/openldap:1.4.0
MAINTAINER Leos Literak <leos.literak@DOMAIN.TLD>
ADD bootstrap /container/service/slapd/assets/config/bootstrap
ADD certs /container/service/slapd/assets/certs
ADD environment /container/environment/01-custom
Commands
docker build -t leos/ABC-ldap:0.0.13 --rm .
docker ps
set CONTAINER=dbad6fe6798e
docker run -p 389:389 -p 636:636 --detach leos/ABC-ldap:0.0.13 --loglevel debug
docker exec %CONTAINER% ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}mdb))"
docker exec %CONTAINER% ldapsearch -x -H ldap://localhost -b dc=centaur,dc=TLD -D "cn=admin,dc=centaur,dc=TLD" -w admin
docker exec %CONTAINER% ldapsearch -x -H ldap://localhost -b dc=centaur,dc=TLD -D "cn=manager,ou=ABC,dc=centaur,dc=TLD" -w VerySecret
docker stop %CONTAINER%
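To see why the "does not work either" ACL set from the question denies the manager user while the 99-config.ldif set in the answer lets it read, here is a small evaluator for the olcAccess syntax used on this page. This is an added example, not code from the question, the answer or the osixia image: it is a deliberately simplified model of slapd's ACL evaluation (first matching `to` clause, first matching `by` clause, `stop`/`break` controls, implicit `by * none`, rootdn bypass), not slapd itself, and it assumes that an omitted access level means `none`. The ACL strings and DNs are the ones from the page; `cn=admin,dc=centaur,dc=TLD` is assumed to be the image's rootdn.

```python
"""Simplified model of OpenLDAP olcAccess evaluation (an added example; not code from the
question, the answer or the osixia image).  Only the slapd.access(5) subset used on this page is
modelled: 'to *' / 'to attrs=a,b' and 'by self|users|anonymous|*|dn=..|dn.exact=..' <level>
[stop|break].  Rules run in order: in the first 'to' clause matching the target, the first matching
'by' sets the level; 'stop' ends evaluation, 'break' moves on to the next 'to' clause (a later match
overrides), a matching 'to' with no matching 'by' denies, an omitted level is assumed to mean 'none',
and the rootdn bypasses ACLs entirely, as it does in slapd."""
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
CONTROLS = {"stop", "break"}


def parse_acl(line):
    """Return (attrs, [(who, level, control), ...]); attrs is None for 'to *'."""
    line = re.sub(r"^(olcAccess:\s*)?(\{\d+\})?", "", line.strip())
    target, *by_parts = re.split(r"\s+by\s+", line)
    if not target.startswith("to "):
        raise ValueError(f"expected 'to ...': {line}")
    target = target[3:].strip()
    if target == "*":
        attrs = None
    elif target.startswith("attrs="):
        attrs = frozenset(a.strip().lower() for a in target[6:].split(","))
    else:
        raise ValueError(f"unsupported target: {target}")
    clauses = []
    for part in by_parts:
        who, *rest = part.split()
        if who.startswith(("dn.exact=", "dn=")):  # normalise to "dn:<lower-cased dn>"
            who = "dn:" + who.split("=", 1)[1].strip('"').lower()
        level, control = "none", "stop"
        for tok in rest:
            if tok in CONTROLS:
                control = tok
            elif tok in LEVELS:
                level = tok
        clauses.append((who, level, control))
    return attrs, clauses


def _matches(who, bind_dn, entry_dn):
    """Does the requester (bind_dn None = anonymous bind) match a 'by' clause's <who>?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if bind_dn is None:
        return False
    if who == "users":
        return True
    if who == "self":
        return bind_dn.lower() == entry_dn.lower()
    return who == "dn:" + bind_dn.lower()


def access(rules, bind_dn, entry_dn, attr="entry", root_dn=None):
    """Access level bind_dn gets on attr of entry_dn ('entry' = the entry itself)."""
    if root_dn and bind_dn and bind_dn.lower() == root_dn.lower():
        return "manage"  # the rootdn is never subject to ACLs
    granted = "none"
    for attrs, clauses in rules:
        if attrs is not None and attr.lower() not in attrs:
            continue  # this 'to' clause does not cover the target
        control = None
        for who, level, ctl in clauses:
            if _matches(who, bind_dn, entry_dn):
                granted, control = level, ctl
                break
        if control is None:
            return "none"  # 'to' matched but no 'by' did: implicit 'by * none'
        if control == "stop":
            return granted
    return granted


def can_read(rules, bind_dn, entry_dn, attr="entry", root_dn=None):
    return LEVELS.index(access(rules, bind_dn, entry_dn, attr, root_dn)) >= LEVELS.index("read")


# ACL sets copied from the page: the "does not work either" attempt and the working 99-config.ldif
PEERCRED = "to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break"
PASSWORDS = ("to attrs=userPassword,shadowLastChange by self write "
             'by dn="cn=ldapadm,dc=centaur,dc=TLD" write by anonymous auth by * none')
FAILING_ACL = [PEERCRED, PASSWORDS,
               'to * by self read by dn="cn=ldapadm,dc=centaur,dc=TLD" write by * none',
               "to * by self write by * read"]
WORKING_ACL = [PEERCRED, PASSWORDS,
               'to * by self read by dn="cn=admin,dc=centaur,dc=TLD" write '
               'by dn="cn=ldapadm,dc=centaur,dc=TLD" write by users read by * none']

BASE = "dc=centaur,dc=TLD"
ADMIN = f"cn=admin,{BASE}"  # assumed to be the image's rootdn (LDAP_ADMIN_PASSWORD)
LDAPADM = f"cn=ldapadm,{BASE}"
MANAGER = f"cn=manager,ou=ABC,{BASE}"


def summarize(acl_lines):
    """Who can do what under an ACL set, for the DNs used on this page."""
    rules = [parse_acl(line) for line in acl_lines]
    ou = f"ou=ABC,{BASE}"
    return {
        "manager_reads_ou": can_read(rules, MANAGER, ou, root_dn=ADMIN),
        "anonymous_reads_ou": can_read(rules, None, ou, root_dn=ADMIN),
        "admin_reads_ou": can_read(rules, ADMIN, ou, root_dn=ADMIN),
        "manager_own_password": access(rules, MANAGER, MANAGER, "userPassword", ADMIN),
        "manager_other_password": access(rules, MANAGER, LDAPADM, "userPassword", ADMIN),
        "anonymous_password": access(rules, None, MANAGER, "userPassword", ADMIN),
    }
```

Calling `summarize(FAILING_ACL)` and `summarize(WORKING_ACL)` shows the difference: in the failing set the third clause ends with `by * none` before anything grants ordinary users read, so a bound user that is not `self` on the `ou=ABC` entry (and is not `ldapadm`) gets `none`, which is exactly the "32 No such object" the manager bind produced, while the admin still sees everything because the rootdn bypasses ACLs. In the working set `by users read` grants every authenticated user read on the tree while anonymous binds remain at `none`, and the `to attrs=userPassword,shadowLastChange` clause (identical in both sets) keeps passwords writable only by `self` and `ldapadm`, readable by nobody else, and usable for binding (`auth`) by anonymous clients.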